Re: Build failure of 1.6 and openssl 0.9.8

2015-10-19 Thread Christopher Faulet
was introduced by this patch : commit 7969a33a01c3a70e48cddf36ea5a66710bd7a995 Author: Christopher Faulet <cfau...@qualys.com> Date: Fri Oct 9 11:15:03 2015 +0200 MINOR: ssl: Add support for EC for the CA used to sign generated certificate This is done by adding EVP_P

Re: haproxy 1.6.0 crashes

2015-10-19 Thread Christopher Faulet
://www.mail-archive.com/haproxy@formilux.org/msg19995.html Regards -- Christopher Faulet

Re: haproxy 1.6.0 crashes

2015-10-15 Thread Christopher Faulet
prime256v1 after applying commit d2cab92, haproxy seems to crash. Hi, I confirm the bug. Here is a very quick patch. Could you confirm that it works for you ? -- Christopher Faulet diff --git a/include/types/connection.h b/include/types/connection.h index dfbff6a..070d779 100644

Re: 1.6 segfaults

2015-10-15 Thread Christopher Faulet
-- Christopher Faulet

[PATCH] BUG: ssl: Fix conditions to release SSL_CTX when a SSL connection is closed

2015-10-15 Thread Christopher Faulet
Hi, Here is a proper patch to fix the recent bug reported on haproxy 1.6.0 when SNI is used. Willy, I didn't wait your reply to speed-up the code review. But if there is any problem with this patch, let me know. Regards, -- Christopher Faulet >From c89e1256113aa36826b00706094ccde984906

Re: haproxy 1.6.0 crashes

2015-10-15 Thread Christopher Faulet
On 15/10/2015 14:45, Seri, Kim wrote: Christopher Faulet <cfaulet@...> writes: I confirm the bug. Here is a very quick patch. Could you confirm that it works for you ? Hi, I can confirm this patch fixes the crash!! cf. because of my mail service, I've changed my e-mail Thanks

[PATCH] MINOR: http: Add OPTIONS in supported http methods (found by find_http_meth)

2015-10-08 Thread Christopher Faulet
Hi, The 'OPTIONS' method was not in the list of supported HTTP methods and find_http_meth return HTTP_METH_OTHER instead of HTTP_METH_OPTIONS. Regards -- Christopher Faulet >From ec4669273b06bee074389baa2d00ef0202dbea1c Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@qual

Minor SSL fixes

2015-10-08 Thread Christopher Faulet
Hi, Here are some SSL fixes. The last one is a fix to a bug reported in a previous thread[1]. [1] https://www.mail-archive.com/haproxy@formilux.org/msg19243.html Regards, -- Christopher Faulet >From 4994166ef6be91e768607c67e431d5fc20fbde1e Mon Sep 17 00:00:00 2001 From: Christopher Fau

Re: haproxy 1.6.0 crashes

2015-10-16 Thread Christopher Faulet
On 15/10/2015 16:55, Willy Tarreau wrote: Hi Christopher, On Thu, Oct 15, 2015 at 03:22:52PM +0200, Christopher Faulet wrote: On 15/10/2015 14:45, Seri, Kim wrote: Christopher Faulet <cfaulet@...> writes: I confirm the bug. Here is a very quick patch. Could you confirm that it

Re: haproxy 1.6.0 crashes

2015-10-16 Thread Christopher Faulet
expensive or not. Functionally, I agree with you. It would be better to keep info on SSL_CTX object inside this object. And, at the beginning, I considered using these functions. But I was not enough confident to do it. Maybe Emeric can enlighten us. -- Christopher Faulet

Re: [PATCH] BUG: ssl: Fix conditions to release SSL_CTX when a SSL connection is closed

2015-10-16 Thread Christopher Faulet
On 15/10/2015 16:50, Christopher Faulet wrote: Hi, Here is a proper patch to fix the recent bug reported on haproxy 1.6.0 when SNI is used. Willy, I didn't wait your reply to speed-up the code review. But if there is any problem with this patch, let me know. Regards, After our discussion

Re: haproxy 1.6.0 crashes

2015-10-20 Thread Christopher Faulet
On 19/10/2015 17:01, Willy Tarreau wrote: On Mon, Oct 19, 2015 at 03:06:44PM +0200, Christopher Faulet wrote: OK so the unused objects in the tree have a refcount of 1 while the used ones have 2 or more, thus the refcount is always valid. Good that also means we must not test if the tree

Re: haproxy 1.6.0 crashes

2015-10-20 Thread Christopher Faulet
on my understanding of your explanations, it should do the right thing and be safe all the time. What's your opinion ? Yes, it should work and it avoids keeping extra info on generated certificates. Good idea ! -- Christopher Faulet

Re: haproxy 1.6.0 crashes

2015-10-20 Thread Christopher Faulet
On 20/10/2015 14:41, Willy Tarreau wrote: On Tue, Oct 20, 2015 at 02:14:37PM +0200, Christopher Faulet wrote: On 20/10/2015 14:07, Willy Tarreau wrote: On Tue, Oct 20, 2015 at 01:59:52PM +0200, Willy Tarreau wrote: Then my understanding is that we should instead proceed differently

Re: Minor SSL fixes

2015-10-09 Thread Christopher Faulet
for your work and your feedback. I have split my patch in 3 parts. -- Christopher Faulet >From c9ceb5e9f575c012c3c63fc9f18f0416a01d7444 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@qualys.com> Date: Fri, 9 Oct 2015 10:53:31 +0200 Subject: [PATCH 1/3] MINOR: ssl: Read the

Re: Minor SSL fixes

2015-10-09 Thread Christopher Faulet
On 09/10/2015 12:19, Willy Tarreau wrote: On Fri, Oct 09, 2015 at 11:59:00AM +0200, Christopher Faulet wrote: On 09/10/2015 10:27, Willy Tarreau wrote: Hi Christopher, I applied the first two ones, but the last one seems to be doing a lot of stuff at the same time. It's not even clear

Re: certificate generation

2015-09-07 Thread Christopher Faulet
extension to set the remote hostname. So be sure that your clients use it. -- Christopher Faulet

Filters bugfixes

2016-06-21 Thread Christopher Faulet
Hi, Here are 2 patches fixing bugs in data filtering. -- Christopher >From bdfa4535d6fe1f0f5bca52a48d2e4205e41bbd81 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <christopher.fau...@capflam.org> Date: Tue, 21 Jun 2016 10:44:32 +0200 Subject: [PATCH 1/2] BUG/MEDIUM: filters:

Re: [PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners

2016-02-09 Thread Christopher Faulet
On 09/02/2016 09:04, Willy Tarreau wrote: thanks for this. It looks clean enough to be merged. I'm a little bit concerned with the addition of conn->ssl_detection_exp because we try to keep the connection struct as small as possible. But in this case there's no other place to store it. Thus

[PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners

2016-02-04 Thread Christopher Faulet
>From a3b372da2463e98b13e016c9b56344757b0e94bc Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@qualys.com> Date: Wed, 29 Jul 2015 16:01:57 +0200 Subject: [PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners This option can be use to fall back on TCP when

[PATCH] BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates

2016-02-04 Thread Christopher Faulet
>From 5d3a89943c9eb855837c0d606ae361825b6e2800 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@qualys.com> Date: Thu, 12 Nov 2015 11:35:51 +0100 Subject: [PATCH] BUG/MINOR: ssl: Be sure to use unique serial for regenerated certificates The serial number for a generated ce

Re: [PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners

2016-03-11 Thread Christopher Faulet
ace to do SSL upgrades when no "tcp-request" rule is defined, I've decided to change the default behavior. I've kept the "defer-ssl-upgrade" keyword, but now, "skip-ssl-upgrade" could be more appropriate. If you prefer, i can do the change. -- Christopher >From 05c

Re: [PATCH] MAJOR: ssl: add 'tcp-fallback' bind option for SSL listeners

2016-03-04 Thread Christopher Faulet
y, if you agree, this new patch can replace my previous one. Of course, all remarks are welcome. I'll try to do more tests. I quickly checked it on OpenSSL 0.9.8zg and 1.0.2f. -- Christopher >From 07133669314724b2b4462e0eb3e8cd114f3fd3b9 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...

[PATCH] BUG/MINOR: dumpstats: Fix the "Total bytes saved" counter in backends stats

2016-04-28 Thread Christopher Faulet
Hi, This is just a typo fix. -- Christopher Faulet >From bfc2be71794987fcfb0b5806607617431e23a65d Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@qualys.com> Date: Thu, 28 Apr 2016 15:09:31 +0200 Subject: [PATCH] BUG/MINOR: dumpstats: Fix the "Total bytes saved" c

Re: Gzip compression and transfer: chunked

2017-01-31 Thread Christopher Faulet
Hi Vladimir, Sorry for my late reply, I was pretty busy these last days. I investigated a little on your problem. I've done some tests and carefully read the code. Everything seems to work as expected. I was not able to reproduce what you experienced with HAProxy 1.7.2. First, in HAProxy,

[PATCH] 2 fixes for replace-header rules

2017-02-08 Thread Christopher Faulet
hristopher Faulet >From 8c9496b9b568ec68312210af4a2cfcd3757c7230 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Wed, 8 Feb 2017 12:17:07 +0100 Subject: [PATCH 1/2] BUG/MEDIUM: http: Prevent replace-header from overwriting a buffer X-Bogosity: Ham, tests=bo

Re: Strange behavior of sample fetches in http-response replace-header option

2017-02-08 Thread Christopher Faulet
t rules. I submitted a patch and it will be merged soon by Willy (see "[PATCH] 2 fixes for replace-header rules"). Thanks -- Christopher Faulet

[PATCH] BUG/MEDIUM: filters: Do not truncate HTTP response when body length is undefined

2017-02-08 Thread Christopher Faulet
Hi, This patch fixes the bug reported by Kristjan Koppel and Brian Loss in the thread "Gzip compression and transfer: chunked". It should be backported in 1.7 Kristjan and Brian, thanks for your help. -- Christopher Faulet >From 23b39e87cce785437950552f5be0744b5768914a Mon Se

Re: Gzip compression and transfer: chunked

2017-02-06 Thread Christopher Faulet
Hi guys, Could you check if the attached patch fixes your bug please ? If I'm right, the bug is about a premature close of the server connection when the content length cannot be determined (neither "Content-Length" nor "Transfer-encoding" headers) if a filter is used (here, the

Re: Gzip compression and transfer: chunked

2017-02-03 Thread Christopher Faulet
On 03/02/2017 at 14:36, Kristjan Koppel wrote: Hi! I seem to have run into the same (or at least similar) problem as reported by Vladimir Mihailenco a little while ago. I'm running HAProxy v1.7.2 and my backend server is etcd v2.3.7. The client application is using HTTP/1.0 and I have

Re: Gzip compression and transfer: chunked

2017-01-23 Thread Christopher Faulet
On 23/01/2017 at 11:54, Vladimir Mihailenco wrote: Hi, I am using haproxy as load balancer/reverse proxy for Rails/Go application. I am upgrading from working Haproxy 1.6 config to 1.7.2. And it looks like I need to change my existing config, because Haproxy 1.7 truncates responses from

Re: Gzip compression and transfer: chunked

2017-01-25 Thread Christopher Faulet
On 24/01/2017 at 10:55, Vladimir Mihailenco wrote: This is the config - https://gist.github.com/vmihailenco/9010ad37f5aeb800095a6b18909ae7d5. Backends don't have any options. I already tried to remove `http-reuse safe`, but it does not make any difference. Haproxy 1.7 with compression (HTML

Re: TLS-PSK: making a http(s) lookup call from inside haproxy code

2017-02-23 Thread Christopher Faulet
yet). BTW, in the thread about the TLS-PSK support, it was suggested to use a map to handle identities. When it will be done, it will be possible to dynamically update the map. -- Christopher Faulet

Re: Opinion about blog post of SPOE

2017-02-16 Thread Christopher Faulet
his requires changes in the HTTP parser, so it is a bit tricky. And new sample fetches need to be added. So there is still a lot of work before you can implement a fully functional WAF. But I'm on it and all help/suggestion/remarks are welcome :) -- Christopher Faulet

Re: Opinion about blog post of SPOE

2017-02-17 Thread Christopher Faulet
s in HAProxy for now. -- Christopher Faulet

Re: [PATCH] MAJOR: filters: Add filters support

2016-09-18 Thread Christopher Faulet
On 18/09/2016 04:17, Bertrand Jacquin wrote: > Hi Christopher and Willy, > > Today I noticed data corruption when haproxy is used for compression > offloading. I bisected twice, and it lead to this specific commit but > I'm not 100% confident this commit is the actual root cause. > > HTTP body

Re: [PATCH] MAJOR: filters: Add filters support

2016-09-19 Thread Christopher Faulet
On 18/09/2016 at 04:17, Bertrand Jacquin wrote: > Today I noticed data corruption when haproxy is used for compression > offloading. I bisected twice, and it lead to this specific commit but > I'm not 100% confident this commit is the actual root cause. > > HTTP body coming from the nginx

[PATCH] New filter callbacks: attach, detach and stream_set_backend

2016-09-22 Thread Christopher Faulet
Hi Willy, Here are quite old pending patches I had to submit. Thanks, -- Christopher >From a20ac171da06f16cb0bc1fb49cbf1939156cb2af Mon Sep 17 00:00:00 2001 From: Christopher Faulet <christopher.fau...@capflam.org> Date: Tue, 21 Jun 2016 11:42:37 +0200 Subject: [PATCH 1/3] MEDIUM: fil

Re: [PATCH] MAJOR: filters: Add filters support

2016-09-22 Thread Christopher Faulet
i Bertrand, Thanks for all these information. It helps me to find the bug. I attached a patch. Could you check if it fixes your bug ? Willy, if Bertrand confirms that his bug is gone, and if everything is ok for you, you will be able to merge it. -- Christopher Faulet >From d756fba92d1c14ab80c2

Re: [PATCH] BUG: spoe: Fix parsing of SPOE actions in ACK frames

2016-11-24 Thread Christopher Faulet
On 24/11/2016 at 19:50, Willy Tarreau wrote: Hi Christopher, On Thu, Nov 24, 2016 at 03:06:13PM +0100, Christopher Faulet wrote: >From 7ed3c2942d57ea2ddfc8973cce9cc1c94bca01da Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Thu, 24 Nov 2016 14:53

[PATCH] BUG: spoe: Fix parsing of SPOE actions in ACK frames

2016-11-24 Thread Christopher Faulet
Hi, Here is a small bug fix on SPOE filter. -- Christopher >From 7ed3c2942d57ea2ddfc8973cce9cc1c94bca01da Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Thu, 24 Nov 2016 14:53:22 +0100 Subject: [PATCH] BUG: spoe: Fix parsing of SPOE actions in ACK

Re: CONNECT method broken in 1.7?

2016-11-28 Thread Christopher Faulet
sense) : commit d7c9196ae56e8ee6babca07ec2ec98a4146bcfd1 Author: Christopher Faulet <cfau...@qualys.com> AuthorDate: Thu Apr 30 11:48:27 2015 +0200 Commit: Willy Tarreau <w...@1wt.eu> CommitDate: Tue Feb 9 14:53:15 2016 +0100 MAJOR: filters: Add fil

Re: HAProxy 1.7 memory leak?

2016-12-08 Thread Christopher Faulet
On 08/12/2016 at 09:35, rickytato rickytato wrote: I'm testing HAProxy 1.7.0 (I'm using 1.6.x from several time) but I notice this strange thing, seen that memory continue to growing. Could you provide the output of "haproxy -vv" command and more information about your HAProxy

[PATCH] BUG/MINOR: stream: Fix how backend-specific analyzers are set on a stream

2017-01-12 Thread Christopher Faulet
-- Christopher >From 73b8871a5e31004ec305a3eb2cd4747c4f569d5e Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Mon, 9 Jan 2017 16:33:19 +0100 Subject: [PATCH] BUG/MINOR: stream: Fix how backend-specific analyzers are set on a stream X-Bogosity: Ham, tests=b

[PATCH] BUG/MINOR: Fix the sending function in Lua's cosocket

2016-12-20 Thread Christopher Faulet
This bug was reported by Thierry. -- Christopher >From 62d2733d05feb49d070094667dc25b0e716ab940 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Mon, 19 Dec 2016 09:29:06 +0100 Subject: [PATCH] BUG/MINOR: Fix the sending function in Lua's cosocket X-Bogo

Re: 100% cpu usage with compression in haproxy.cfg

2017-03-30 Thread Christopher Faulet
On 30/03/2017 at 11:50, Christopher Faulet wrote: On 29/03/2017 at 13:23, Cyril Bonté wrote: From: "Cyril Bonté" <cyril.bo...@free.fr> To: nos...@mrietzler.de Cc: haproxy@formilux.org Sent: Wednesday 29 March 2017 12:36:01 Subject: Re: 100% cpu usage with compression in haproxy.

Re: 100% cpu usage with compression in haproxy.cfg

2017-03-30 Thread Christopher Faulet
ngth, which will produce a 100% cpu loop when the request is made through haproxy. I add Christopher Faulet to the thread, maybe those details will help. Hi all, Here are 2 patches that fix the bugs. I made some tests and it seems to work without breaking other use cases. Could you c

Re: 100% cpu usage with compression in haproxy.cfg

2017-03-29 Thread Christopher Faulet
ngth, which will produce a 100% cpu loop when the request is made through haproxy. I add Christopher Faulet to the thread, maybe those details will help. Hi, Thanks for these information. I found the bug. It is a collateral damage introduced by the commit e6006245. I'm on it. -- Christopher Faulet

Minor HTTP patches

2017-03-31 Thread Christopher Faulet
Hi Willy, Following my recent patches on HTTP/1.0 responses without content-length when compression filter is enabled, here are 2 small patches. The first one is a small code cleanup and the second one adds handy debug messages. Thanks, -- Christopher Faulet >F

[PATCH] BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers

2017-03-31 Thread Christopher Faulet
Willy, I tagged this patch as a bug. But I don't found a way to hit it for now. It can be backported or not, as you wish. -- Christopher Faulet >From 4ffdfbed993eaeb6c777c148e1eb6a712bfc9e18 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Wed, 29 Mar 2

[PATCH] BUG/MINOR: http: Fix conditions to clean up a txn and to handle the next request

2017-03-31 Thread Christopher Faulet
Willy, Another fix (with some cleanup in other patches). The first one (and probably the second one) can be backported. But I don't know if this is mandatory. It is really tricky to find conditions where it could be a problem. Thanks -- Christopher Faulet >F

Re: [PATCH] BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers

2017-03-31 Thread Christopher Faulet
On 31/03/2017 at 14:26, Willy Tarreau wrote: On Fri, Mar 31, 2017 at 11:29:43AM +0200, Christopher Faulet wrote: Willy, I tagged this patch as a bug. But I don't found a way to hit it for now. It can be backported or not, as you wish. Thanks Christopher. I don't know either how to trigger

Re: [PATCH] BUG/MINOR: http: fix typo in http_apply_redirect_rule

2017-03-21 Thread Christopher Faulet
On 21/03/2017 at 07:43, Willy Tarreau wrote: On Mon, Mar 20, 2017 at 11:08:20AM +0100, Christopher Faulet wrote: Hi, Here is a little patch fixing a bug. It should be backported in 1.7. Thanks Christopher. Are you sure it's *this* minor ? I suspect that not having it could break keep-alive

[PATCH] BUG/MINOR: http: fix typo in http_apply_redirect_rule

2017-03-20 Thread Christopher Faulet
Hi, Here is a little patch fixing a bug. It should be backported in 1.7. Thanks, -- Christopher Faulet >From 11fea91789bf795d8924d37a4f50c100f2cd3805 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Fri, 10 Mar 2017 13:52:30 +0100 Subject: [PATCH] BUG/MI

Re: WebSocket + compression + timeout tunnel broken in v1.7?

2017-03-20 Thread Christopher Faulet
kported in 1.7. If you're curious, the commit fixing the bug is e600624 ("BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze"). You can safely apply it on 1.7.3. -- Christopher Faulet

Re: ModSecurity: First integration patches

2017-04-12 Thread Christopher Faulet
MINOR", it is about spoe functions. - The example of ModSecurity compilation can be improved. It is based on my local distro. The feedback are welcome. Hi Thierry, Really nice ! I'll take a look at it soon. Glad to see the first service that uses the SPOE ! Good job. -- Christopher Faulet

Re: ModSecurity: First integration patches

2017-04-13 Thread Christopher Faulet
ceful stop). This way, for a specific connection, it would be possible to wait for last ACK frames without sending new frames to the SPOA. Then stopping the SPOA listeners to let the SPOP health check failed should do the trick, I guess. -- Christopher Faulet

Re: ModSecurity: First integration patches

2017-04-18 Thread Christopher Faulet
On 18/04/2017 at 14:40, Willy Tarreau wrote: On Tue, Apr 18, 2017 at 12:15:20PM +0200, Christopher Faulet wrote: I finally took the time to review your patches, mainly the second one, about the sample fetch. I think it would be a pity to introduce such complex sample fetch. All parts, except

Re: HTTP Basic Authorisation requests failing with HAProxy 1.7.2

2017-03-10 Thread Christopher Faulet
On 07/03/2017 at 20:51, Jon Simpson wrote: On 7 March 2017 at 08:48:37, Christopher Faulet (cfau...@haproxy.com <mailto:cfau...@haproxy.com>) wrote: Thanks for these info. By checking how you named your trace filters, I guess you use the HTTP compression. If I'm right, I think I found

Re: HTTP Basic Authorisation requests failing with HAProxy 1.7.2

2017-03-07 Thread Christopher Faulet
, is to disable the HTTP compression. I'll try to fix it very soon, I just need to talk with Willy to do it the right way. I will keep you informed. -- Christopher Faulet

Re: HTTP Basic Authorisation requests failing with HAProxy 1.7.2

2017-03-02 Thread Christopher Faulet
istener section: filter trace Then run HAProxy in foreground. -- Christopher Faulet

Re: ModSecurity: First integration patches

2017-04-18 Thread Christopher Faulet
On 12/04/2017 at 10:49, Christopher Faulet wrote: On 11/04/2017 at 10:49, Thierry Fournier wrote: Hi list I join one usage of HAProxy / SPOE, it is WAF offloading. These patches are a first version, it have some limitations describe in the README file in the directory contrib/modsecurity

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
eded ? Even if we allow haproxy to be started without default certificate, we can probably remove initial_ctx. That's just I want to be sure to not have missed something :) -- Christopher Faulet

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
ations. I'll keep initial_ctx so. I'll quickly proposed a patch to fix certificates generation. -- Christopher Faulet

[PATCH] BUG/MEDIUM: ssl: Fix regression about certificates generation

2017-07-28 Thread Christopher Faulet
Willy, Here is the patch fixing the certificates generation. Thanks -- Christopher Faulet >From 4cfdaa09b218d784e7b814f70981f35d1a7811df Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Fri, 28 Jul 2017 16:56:09 +0200 Subject: [PATCH] BUG/MEDIUM: ssl: Fix r

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
On 28/07/2017 at 12:41, Emmanuel Hocdet wrote: A useless certificate should be provided with haproxy configuration?, it’s definitely a workaround. It’s legacy from pre SNI. Not really. The default certificate is not useless. It is the certificate to use when no other matches. Except if

Re: Seeing server termination_state SD after updating from 1.6.11 to 1.7.5

2017-07-06 Thread Christopher Faulet
On 06/07/2017 at 18:56, Lukas Tribus wrote: Hi Christopher, On 30.06.2017 at 11:14, Christopher Faulet wrote: We are seeing this as well on 1.7.5. The problem seems to be intermittent--it doesn't happen very often when I hit a system with almost no load, but is happening very

Re: 2x filter + keep-alive regressions (1.7 affected)

2017-07-06 Thread Christopher Faulet
r (I'm almost certain it is) ... cheers, lukas [1] http://discourse.haproxy.org/t/keep-alive-behaviour-change-since-1-7-6/1390 Hi guys, Attached patches should fix this bug. The real fix is in the last one. But all the 3 must be backported in 1.7. I made tests with the Lukas con

Re: Seeing server termination_state SD after updating from 1.6.11 to 1.7.5

2017-07-20 Thread Christopher Faulet
On 19/07/2017 at 22:18, Christopher Faulet wrote: Because these last weeks, there were several regressions on this part (the end of the HTTP transaction), I prefer to be careful this time. Every time I fixed a bug in one side, this broke something else from another one... And because I said

[PATCH] Handle SMP_T_METH samples in smp_dup/smp_is_safe/smp_is_rw

2017-07-24 Thread Christopher Faulet
Willy, Here are small patches with minor changes about samples. -- Christopher Faulet >From 364139ba3764294acbad413a4cdde94a6ea1289b Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Mon, 24 Jul 2017 16:24:39 +0200 Subject: [PATCH 3/3] MINOR: samples: Don't

Re: [PATCH] MEDIUM: ssl: allow haproxy to start without default certificate

2017-07-28 Thread Christopher Faulet
. -- Christopher Faulet

Re: Passing SNI value ( ssl_fc_sni ) to backend's verifyhost.

2017-07-26 Thread Christopher Faulet
could you check the patch in attachment to confirm it works ? -- Christopher Faulet >From afe2d426c6aeb82aa11af842e8f75f54a2d9130d Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Wed, 26 Jul 2017 11:50:01 +0200 Subject: [PATCH] BUG/MINOR: ssl: Fix check aga

Re: Seeing server termination_state SD after updating from 1.6.11 to 1.7.5

2017-07-19 Thread Christopher Faulet
On 06/07/2017 at 21:18, Christopher Faulet wrote: On 06/07/2017 at 18:56, Lukas Tribus wrote: Hi Christopher, On 30.06.2017 at 11:14, Christopher Faulet wrote: We are seeing this as well on 1.7.5. The problem seems to be intermittent--it doesn't happen very often when I hit a system

Re: Seeing server termination_state SD after updating from 1.6.11 to 1.7.5

2017-06-30 Thread Christopher Faulet
.com/haproxy@formilux.org/msg26543.html -- Christopher Faulet diff --git a/src/proto_http.c b/src/proto_http.c index e5f67e5..521743a 100644 --- a/src/proto_http.c +++ b/src/proto_http.c @@ -6958,14 +6958,6 @@ int http_response_forward_body(struct stream *s, struct channel *res, int an_bit if

Re: 1.7.6 redirect regression (commit 73d071ecc84e0f26ebe1b9576fffc1ed0357ef32)

2017-06-21 Thread Christopher Faulet
f395b4380e "BUG/MEDIUM: http: Drop the connection establishment when a redirect is performed"). I attached the patch. Could you quickly check if it fixes your bug (it should do so) ? It was not backported in 1.7 because we thought it only affected the 1.8. I will check with Willy.

Re: SD Termination state after upgrade from 1.5.12 to 1.7.3

2017-06-22 Thread Christopher Faulet
On 16/06/2017 at 16:19, Christopher Faulet wrote: On 16/06/2017 at 13:29, Juan Pablo Mora wrote: Linux version: Red Hat Enterprise Linux Server release 5.11 (Tikanga) Linux dpoweb08 2.6.18-417.el5 #1 SMP Sat Nov 19 14:54:59 EST 2016 x86_64 x86_64 x86_64 GNU/Linux HAProxy versión: 1.7.5

Re: haproxy does not capture the complete request header host sometimes

2017-06-21 Thread Christopher Faulet
On 13/06/2017 at 14:16, Christopher Faulet wrote: On 13/06/2017 at 10:31, siclesang wrote: haproxy balances by host,but often captures a part of request header host or null, and requests balance to default server. how to debug it , Hi, I'll try to help you. Can you share your

Re: Issue while using Proxy protocol in TCP mode

2017-06-13 Thread Christopher Faulet
eader" This breaks of my application often. But works swiftly when removed the proxy protocol options. Any help would be great. Thanks, Vijay B -- Christopher Faulet

Re: haproxy does not capture the complete request header host sometimes

2017-06-13 Thread Christopher Faulet
On 13/06/2017 at 10:31, siclesang wrote: haproxy balances by host,but often captures a part of request header host or null, and requests balance to default server. how to debug it , Hi, I'll try to help you. Can you share your configuration please ? It could help to find a potential

[PATCH] BUG/MINOR: acls: Set the right refflag when patterns are loaded from a map

2017-06-14 Thread Christopher Faulet
Hi, Here is a little patch to fix a little bug :) Thanks -- Christopher Faulet >From e11c7f0ffe159f1e77c2c2568dd5f217f67327ee Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Wed, 14 Jun 2017 14:41:33 +0200 Subject: [PATCH] BUG/MINOR: acls: Set the righ

Re: [PATCH] BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING

2017-06-14 Thread Christopher Faulet
On 14/06/2017 at 16:47, Willy Tarreau wrote: On Wed, Jun 14, 2017 at 03:43:19PM +0200, Christopher Faulet wrote: A filter can choose to loop when a HTTP message is in the state HTTP_MSG_ENDING. But the transaction is terminated with an error if the input is closed (CF_SHUTR set on the channel

[PATCH] BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0

2017-06-14 Thread Christopher Faulet
Faulet >From f8d90c49944a64b153091a6f524dd22db26b8c80 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Thu, 8 Jun 2017 22:18:52 +0200 Subject: [PATCH] BUG/MINOR: ssl: Be sure that SSLv3 connection methods exist for openssl < 1.1.0 For openssl 1.0.2, SSLv3_s

[PATCH] BUG/MINOR: http/filters: Be sure to wait if a filter loops in HTTP_MSG_ENDING

2017-06-14 Thread Christopher Faulet
This one is about filters. Thanks -- Christopher Faulet >From 5358c71aa67a5fe21f29063bc7f837073ef8d20d Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Fri, 31 Mar 2017 15:37:29 +0200 Subject: [PATCH] BUG/MINOR: http/filters: Be sure to wait if a fil

Re: SD Termination state after upgrade from 1.5.12 to 1.7.3

2017-06-16 Thread Christopher Faulet
is no content-length nor transfer-encoding header. But it is a bit tricky because it is partly a timing issue. Depending when the connection close is caught, an error is triggered or not. So I'm on it. Stay tuned. -- Christopher Faulet

Re: Issue while using Proxy protocol in TCP mode

2017-06-14 Thread Christopher Faulet
there with a stable release, be sure to have the "send-proxy" directive on your server line (the one which forwards the traffic to haproxy itself). If you have any doubt about your configuration, please, share it. -- Christopher Faulet

Re: Issue while using Proxy protocol in TCP mode

2017-06-14 Thread Christopher Faulet
On 14/06/2017 at 13:07, Vijay Bais wrote: On Wed, Jun 14, 2017 at 3:06 PM, Christopher Faulet <cfau...@haproxy.com <mailto:cfau...@haproxy.com>> wrote: Ok, If the problem is still there with a stable release, be sure to have the "send-proxy" directive on you

Re: cppcheck finding

2017-09-15 Thread Christopher Faulet
and set up and maintain the build/test matrix. -- Christopher Faulet

Re: cppcheck finding

2017-09-15 Thread Christopher Faulet
ere are bugs there. The worst is on the compression filter. I attached patches to fix them. Willy, could you merge it please ? Some of them must be backported in 1.7. Thanks, -- Christopher Faulet >From 362bf07d61b06469bff839886d52db24daa2aa5e Mon Sep 17 00:00:00 2001 From: Christoph

Re: Haproxy segfault error 4 in libc-2.24

2017-10-05 Thread Christopher Faulet
undefined behavior. I fixed the bug but I'm going to send the patch separately to this thread to be sure everyone see it. -- Christopher Faulet

Re: [PATCH] BUG/MEDIUM: http: Return an error when url_dec sample converter failed

2017-10-05 Thread Christopher Faulet
On 05/10/2017 at 10:52, Christopher Faulet wrote: Hi, Here is the patch that fixes the bug reported by Marcus (see "Haproxy segfault error 4 in libc-2.24"). Sorry, here is a new version of my patch. No reason to consider zero-length string as an error. -- Christopher Fa

[PATCH] BUG/MEDIUM: http: Return an error when url_dec sample converter failed

2017-10-05 Thread Christopher Faulet
Hi, Here is the patch that fixes the bug reported by Marcus (see "Haproxy segfault error 4 in libc-2.24"). Thanks -- Christopher Faulet >From 077217437a09e5d81216d377d9aff73dc1ce7122 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Thu, 5 Oct

Re: another cppcheck finding

2017-10-04 Thread Christopher Faulet
planned to add the support of threads in HAProxy 1.8. It requires many changes to make all parts thread-safe. DNS is one of them. Note that currently HAProxy is not multithreaded, there is no thread-safety issue. -- Christopher Faulet

Re: another cppcheck finding

2017-10-04 Thread Christopher Faulet
one. I will send everything to Willy in few days. So don't bother with it. Thanks -- Christopher Faulet

[PATCH] BUG/MEDIUM: http: Fix a regression bug when a HTTP response is in TUNNEL mode

2017-09-04 Thread Christopher Faulet
Hi all, Finally I reworked my previous patch. This one should fix the bug, without side effect (AFAIK). It fixes slowdowns experienced on 1.7.9 for HTTP responses with undefined body length when the compression is enabled. -- Christopher Faulet >From c42035858a58786c296ae3cf3c2420e4fe82a

Re: HTTP/1.0 with compression enabled broken again in v1.7.9

2017-08-29 Thread Christopher Faulet
to be sure. This will be my punishment. Thanks, -- Christopher Faulet >From 57e627243b02021b3913b33c8bd5c2ed92f82303 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Tue, 29 Aug 2017 16:06:38 +0200 Subject: [PATCH] BUG/MEDIUM: http: Fix a regression bug in http_resync_s

Re: haproxy-1.8.0, sending a email-alert causes 100% cpu usage, FreeBSD 11.1

2017-11-28 Thread Christopher Faulet
for the report. Hi Pieter, Here is a patch that should fix the deadlock. Could you confirm it fixes your bug ? Emeric, this patch should be good, but take a look on it, just to be sure. Thanks -- -- Christopher Faulet >From 5fd4083becd141080ec8cf0923b222e0ae6119af Mon Sep 17 00:00:

Re: 1.8.0 stuck in write(threads_sync_pipe[1], "S", 1)

2017-12-02 Thread Christopher Faulet
led report. There is a bug in the sync-point, when the same thread requests a synchronization many times. And, it is easier to encounter this bug with only one thread. Could you check the attached patch ? It should fix the bug. -- Christopher Faulet >From b8475f5bf9098b667fabada7b88de33c62b42c

[PATCH] BUG/MEDIUM: mworker: Close log socket during a reload

2017-12-18 Thread Christopher Faulet
Faulet >From a9a69d0a5cc9fcc7be84966fc5861cc17400a849 Mon Sep 17 00:00:00 2001 From: Christopher Faulet <cfau...@haproxy.com> Date: Mon, 18 Dec 2017 14:36:44 +0100 Subject: [PATCH] BUG/MEDIUM: mworker: Close log socket during a reload A log socket (UDP or UNIX) is opened by the master d

Re: 1.8.1 backend stays 'DOWN' when dns resolvers and http health checks are used

2017-12-18 Thread Christopher Faulet
heck inter 1000 Hi, There have been some fixes since the 1.8.1. One of them could fix your problem: http://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=80b92902 Could you check with the last 1.8 source snapshot (http://www.haproxy.org/download/1.8/src/snapshot/haproxy-ss-LATEST.tar.gz) ? Thanks -- Christopher Faulet

Re: Diagnose a PD-- status

2017-11-06 Thread Christopher Faulet
Hi, On 02/11/2017 at 17:16, Mildis wrote: [WARNING] 305/144718 (21260) : HTTP compression failed: unexpected behavior of previous filters This warning is very suspicious. It should not happen. Could you share your configuration and "haproxy -vv" output please ? -- Christopher Faulet
